Solved

Block USB device when inserted and popup confirmation to select if it should be enabled

Posted on 2014-08-05
559 Views
Last Modified: 2014-08-11
Hi,

I would like to have a small app installed on my Windows 7 (and Win 8) machines to "listen" for a USB device being inserted and, if so, check the device type. If it is a HID Keyboard Device it should be blocked, and a confirmation dialog should pop up asking whether it may be enabled.

Is this possible, or will the WM_DEVICECHANGE event be raised after the device is already enabled to type into the system?
Question by:HugoHiasl
13 Comments
 
Accepted Solution by jkr (LVL 86, earned 1000 total points), ID: 40241626
>>Is this possible or will the WM_DEVICECHANGE event be raised after it is already enabled to type to the system?

Yes and no. Yes, WM_DEVICECHANGE will be sent when the device is already enabled. No, you can't block that at user level. In order to achieve what you want, you will need a driver that addresses this issue at a way lower level.
0
 
Author Comment by HugoHiasl (LVL 12), ID: 40241642
With the upcoming BadUSB attack it could be a good idea to implement something like this as a countermeasure.

Unfortunately it will go beyond my experience as a C# developer :-(

Thanks for your answer...
0
 
Expert Comment by jkr (LVL 86), ID: 40241767
Well, it's not that far out, check out http://msdn.microsoft.com/en-us/library/windows/hardware/ff554118%28v=vs.85%29.aspx ("Windows Driver Kit Samples Pack") where you will find a "KMDF HID Filter" among other samples, which should serve well as a starting point.
0
 
Assisted Solution by McKnife (LVL 57, earned 1000 total points), ID: 40243534
So it's BadUSB fear that this thread is about...
Please describe your attack scenario. Normally, you can protect against it very well if you use GPOs that disallow device installations of any kind and make them possible only for administrators.
0
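The GPO approach McKnife describes is the "Device Installation Restrictions" policy. The following PowerShell, added here as an example and not code from anyone in the thread, writes the same registry values the Group Policy editor sets, so the effect can be tested on one machine before it goes into a domain GPO. It assumes an elevated session on Windows 7 or later and uses placeholder hardware IDs (`VID_XXXX`, `VID_YYYY`) that must be replaced with the IDs of the keyboards and mice you actually trust.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the thread: set the "Device Installation Restrictions"
# policy values in the registry. They are the values the Group Policy editor writes
# for Computer Configuration > Administrative Templates > System > Device Installation
# > Device Installation Restrictions. Assumes an elevated session on Windows 7 or
# later; in a domain the same settings would go into a GPO instead.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'

function Set-DeviceInstallRestriction {
    param(
        # Hardware/compatible IDs of devices that may still be installed by anyone.
        [string[]]$AllowDeviceIds = @(),
        # Setup class GUIDs that may still be installed by anyone.
        [string[]]$AllowClassGuids = @()
    )
    New-Item -Path $PolicyKey -Force | Out-Null
    # "Prevent installation of devices not described by other policy settings"
    Set-ItemProperty -Path $PolicyKey -Name DenyUnspecified -Value 1 -Type DWord
    # "Allow administrators to override Device Installation Restriction policies"
    # (this is the "only possible for administrators" part)
    Set-ItemProperty -Path $PolicyKey -Name AllowAdminInstall -Value 1 -Type DWord

    # The allow lists are subkeys whose string values are named 1, 2, 3, ...
    $lists = @{ AllowDeviceIDs = $AllowDeviceIds; AllowDeviceClasses = $AllowClassGuids }
    foreach ($name in $lists.Keys) {
        $sub = Join-Path $PolicyKey $name
        Remove-Item -Path $sub -Recurse -ErrorAction SilentlyContinue
        New-Item -Path $sub -Force | Out-Null
        $i = 1
        foreach ($id in $lists[$name]) {
            Set-ItemProperty -Path $sub -Name ([string]$i) -Value $id -Type String
            $i++
        }
    }
}

function Get-PolicyList([string]$Name) {
    # Helper: read back the numbered string values of one allow-list subkey.
    $item = Get-ItemProperty -Path (Join-Path $PolicyKey $Name) -ErrorAction SilentlyContinue
    if (-not $item) { return @() }
    @($item.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value })
}

function Get-DeviceInstallRestriction {
    # Read the policy back so it can be verified (or audited) after deployment.
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        DenyUnspecified    = [int]$p.DenyUnspecified
        AllowAdminInstall  = [int]$p.AllowAdminInstall
        AllowDeviceIDs     = Get-PolicyList 'AllowDeviceIDs'
        AllowDeviceClasses = Get-PolicyList 'AllowDeviceClasses'
    }
}

# Constructed example for the scenario in the thread: USB mass storage keeps working
# for everyone (the three setup classes a USB stick installs under), while keyboards
# and mice are allowed only by explicit hardware ID. The IDs below are placeholders;
# read the real ones from Device Manager or Get-PnpDevice on hardware you trust.
$storageClasses = @(
    '{36fc9e60-c465-11cf-8056-444553540000}'  # USB (hubs, composite parents, USBSTOR)
    '{4d36e967-e325-11ce-bfc1-08002be10318}'  # DiskDrive
    '{71a27cdd-812a-11d0-bec7-08002be2092f}'  # Volume
)
$trustedInputDevices = @(
    'USB\VID_XXXX&PID_XXXX&MI_00'   # docking-station keyboard, USB interface node
    'HID\VID_XXXX&PID_XXXX&MI_00'   # docking-station keyboard, HID keyboard node
    'USB\VID_YYYY&PID_YYYY'         # trusted mouse, USB node
    'HID\VID_YYYY&PID_YYYY'         # trusted mouse, HID node
)
Set-DeviceInstallRestriction -AllowClassGuids $storageClasses -AllowDeviceIds $trustedInputDevices
Get-DeviceInstallRestriction
```

The policy acts at installation time, so device instances that were installed before it was set are unaffected, and a standard user gets a blocked-installation notice rather than a working keyboard when an unlisted HID interface appears. Two caveats a practitioner should keep in mind: a device's VID/PID is whatever its firmware reports, so an allow list narrows exposure but does not authenticate the device, and with `AllowAdminInstall` set the policy does nothing for a user who is already a local administrator, which is exactly the situation the author describes later in the thread.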
 
Author Comment by HugoHiasl (LVL 12), ID: 40244484
That's right. It is the BadUSB threat.

I know about the GPOs, even though I honestly did not take them into account. I think they won't work for the given scenario:

Imagine a big company. The employees are working with notebooks. They use flexible seating. So when an employee comes to the company, they plug the notebook into a docking station.

They work with very large files, so they need to use USB sticks, even for transfer to client machines.

GPO could now disable device installation. But then they would not be able to use external keyboards or mouse devices at home or in the company. They also need to be able to plug in and use the USB memory sticks.

In my imaginary solution there is a piece of software that checks (whenever a USB device is plugged in) for the device type. If it is a HID keyboard, it is automatically disabled and a window pops up warning the user that a keyboard has been plugged in.

There are 2 options:
1. The user really plugged in a USB keyboard and wants it to be activated, so he needs to be able to activate it. Probably the tool only delays activation. The user gets warned and can take action if needed.

2. The user did not plug in a keyboard. He gets the warning and is able to remove the plugged-in device immediately, or he can keep the keyboard device disabled by a button click.
0
 
Expert Comment by McKnife (LVL 57), ID: 40245497
That is no attack scenario. Please describe what you are trying to protect against; how would an attacker proceed?
0
 
Author Comment by HugoHiasl (LVL 12), ID: 40245617
The attacker hacks the USB stack of a memory stick.

When he inserts it into a computer, the memory stick is recognized as a normal memory stick and also as a HID keyboard device, which is automatically enabled and can enter malicious commands into the system.

In a TV report in Germany they showed this kind of attack. The malicious stick entered commands to download a tool from the internet and started it, and the attacker was immediately able to do what he wanted with the computer. I don't know if they opened an SSH tunnel or telnet or a specific tool. But as soon as a person can directly enter commands into a computer, he has a lot of control over it.

Who knows... Probably some secret services use attack mechanisms like this already and none of us knows.

No anti-virus software can prevent this because it is a real input device, just like the main keyboard is.
0
 
Expert Comment by McKnife (LVL 57), ID: 40245704
You now describe the concept of BadUSB, but still you don't answer my question.
What I expected could look like this: "My users often leave their PCs unattended and unlocked; how can I prevent some fellow worker plugging his modified USB device into the machine so that it executes arbitrary commands?"

So what does your attack look like? Details please.
0
 
Author Comment by HugoHiasl (LVL 12), ID: 40245735
Ok.. I am more interested in the overall scenario.

But in the terms that you like...

How to prevent being attacked when the users use a hacked USB stick or another hacked USB device.

My view is less about how I could protect our users. My point of view is whether it is possible to create a piece of software that will prevent all Windows users from being attacked by this attack style, because the consensus at the moment is that it is not possible to protect yourself against this kind of attack.
0
 
Expert Comment by McKnife (LVL 57), ID: 40245842
To respond to an attack, you need a scenario. So you seem to have watched a film where those devices enable an attacker to gain control of a computer that is unlocked, I guess? And what he does is simply plug in his manipulated device, and that device starts executing commands in the name of the user that is logged on (probably an administrator). These commands may lead to downloads of malware and data theft and so on. Well, why don't you say so in the first place? ;-)

These devices do no magic, they don't do privilege escalations - so normally, they will only be able to do what the user is able to do. If you leave your computer unlocked and unattended, I, the attacker, can do just the same manually. Those devices do it much quicker, that's all. So if you are afraid that the users leave their computers unattended, then simply prohibit leaving workspaces unattended and unlocked at any time. Sounds foolish? Well, that's how it is. Those devices mostly do nothing else but use what the user can already do himself. So if you enable the user to get to data that is company critical, you now have just one more reason to deploy some sort of device control that works with whitelists of known devices. That's the best you can do.

My questions about your scenario arose because you seem to have a scenario in mind - you even have an app in mind against it. But if this app asks "some HID device is connecting - continue?", who is it asking? The user? The user that voluntarily plugged in that device? No...
Or are you afraid of someone plugging in a device while the machine is unattended, then the device doing some magic and infections, and later he harvests the data that is now downloaded right onto the manipulated device? Well, that's how many device control software products already work: they block everything by default except whitelisted devices. Then if a new device comes they give the user some button to press and ask for a blocking exception that would be logged and need to be confirmed by an admin. Why not use that? Kaspersky's AV does this, for example.
0
 
Author Comment by HugoHiasl (LVL 12), ID: 40245870
Yes, it is asking the user that plugged it in.

If plugged in when unattended, then it should be locked. So no problem.

But if the user intentionally plugs in a memory stick and wants to copy files from and to the stick, the machine is unlocked and he probably has admin privileges on the machine.

In this case the popup would tell the user "some HID device is connecting - continue". At this moment the user knows that something is wrong. He will click "disable the HID device" or will immediately remove the malicious USB device.

Let's think about a George Orwell scenario. Any secret service of any country manufactures cheap memory sticks with this hack in the USB device firmware. This secret service could get ALL information from any computer that once gets a device of this type plugged in. In combination with virus attack-downloads that will additionally be able to infect any file on the system, this is a huge and mighty threat.

Which device management software could handle this? This would probably be the solution that I am looking for.
0
 
Expert Comment by McKnife (LVL 57), ID: 40245888
You read my comment to the end? Kaspersky's AV does that.
Also, I once wrote a script that disables USB mass storage devices if they are plugged in and their ID is not on a whitelist that I maintained - but the device would install and "live" for a fraction of a second until my script uninstalls it. It was done through event-triggered tasks, but this fraction of a second could already be too long if we are paranoid.
0
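The author's wish list (disable a newly arrived keyboard, warn the user, let him either enable it or keep it disabled) and McKnife's whitelist script have the same shape: watch for device arrival, compare against a whitelist, disable, ask. The PowerShell below is an added example and not code from anyone in the thread. It assumes Windows 8.1 or later for the PnpDevice module cmdlets (`Get-PnpDevice`, `Disable-PnpDevice`, `Enable-PnpDevice`), an elevated session running on the interactive desktop so the dialog is visible, and a constructed whitelist whose instance ID is a placeholder; the log path under `ProgramData` is also a choice made for this example.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the thread: poll for newly arrived keyboard-class
# devices, disable any that is not on a whitelist, then ask the logged-on user.
# Assumes Windows 8.1+ (PnpDevice module: Get-PnpDevice, Disable-PnpDevice,
# Enable-PnpDevice) and an elevated session on the interactive desktop.

# Constructed whitelist of trusted keyboard instance IDs (placeholder value);
# collect real ones with: Get-PnpDevice -Class Keyboard | Select InstanceId, FriendlyName
$Whitelist = @(
    'HID\VID_XXXX&PID_XXXX&MI_00\PLACEHOLDER'   # the docking-station keyboard
)
$LogFile = Join-Path $env:ProgramData 'HidGuard\hidguard.log'   # path chosen for this example
New-Item -ItemType Directory -Force -Path (Split-Path $LogFile) | Out-Null

function Write-Log([string]$Message) {
    "$(Get-Date -Format o) $Message" | Add-Content -Path $LogFile
}

function Invoke-KeyboardArrival {
    param([Parameter(Mandatory)][string]$InstanceId, [string]$Name = '(unknown)')
    if ($Whitelist -contains $InstanceId) {
        Write-Log "ALLOW  $InstanceId ($Name) is whitelisted"
        return 'Allowed'
    }
    # Disable before asking: the dialog must not wait while the device keeps typing.
    Disable-PnpDevice -InstanceId $InstanceId -Confirm:$false -ErrorAction Stop
    Write-Log "BLOCK  $InstanceId ($Name) disabled, asking user"

    Add-Type -AssemblyName System.Windows.Forms
    $answer = [System.Windows.Forms.MessageBox]::Show(
        "A new keyboard device was connected and has been disabled:`n`n$Name`n$InstanceId`n`nDid you plug in a keyboard and want to enable it?",
        'Unknown keyboard detected', 'YesNo', 'Warning')
    if ($answer -eq 'Yes') {
        Enable-PnpDevice -InstanceId $InstanceId -Confirm:$false
        Write-Log "ENABLE $InstanceId ($Name) enabled by user"
        return 'UserEnabled'
    }
    Write-Log "KEEP   $InstanceId ($Name) left disabled by user"
    return 'KeptDisabled'
}

# Snapshot the keyboards present at start so only new arrivals are challenged.
$Known = @{}
Get-PnpDevice -Class Keyboard -PresentOnly | ForEach-Object { $Known[$_.InstanceId] = $true }
Write-Log "HidGuard started, $($Known.Count) keyboard(s) already present"

# Poll twice a second. Like the event-triggered task in the thread, this leaves the
# device live for a fraction of a second before it is disabled; closing that window
# needs a filter driver, as jkr's answer says.
while ($true) {
    Start-Sleep -Milliseconds 500
    foreach ($dev in Get-PnpDevice -Class Keyboard -PresentOnly) {
        if (-not $Known.ContainsKey($dev.InstanceId)) {
            $Known[$dev.InstanceId] = $true
            Invoke-KeyboardArrival -InstanceId $dev.InstanceId -Name $dev.FriendlyName | Out-Null
        }
    }
}
```

Two points of design worth noting. The device is disabled first and the user asked second, because a dialog that blocks while the new "keyboard" is still enabled would give the device the very seconds it needs. And the instance ID is what gets whitelisted, not the VID/PID: the firmware chooses the VID/PID, so a list of accepted vendor IDs would be trivial to satisfy, whereas the instance ID ties the entry to a particular port path or serial number. The log lines give a SOC something to alert on, for example any `BLOCK` entry, or an `ENABLE` entry on a machine that has no docking station.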
 
Author Closing Comment by HugoHiasl (LVL 12), ID: 40252764
Thanks for that detailed information.
0
